From cc336cf9c17283684df7b850e010d669122126a5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 16 Apr 2010 16:23:45 -0400
Subject: Use escapes in DNs instead of quoting.
Based on initial patch from Pavel Zuna.
---
 install/share/bootstrap-template.ldif | 4 ++--
 ipalib/plugins/pwpolicy.py | 43 +++++++++++++++++++++++------------
 ipaserver/install/dsinstance.py | 5 +++-
 ipaserver/install/ldapupdate.py | 3 +++
 4 files changed, 37 insertions(+), 18 deletions(-)
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index b1922d992..bde1f20a0 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -190,7 +190,7 @@ objectclass: top
 objectclass: nsContainer
 cn: cosTemplates
-dn: cn="cn=inactivated,cn=account inactivation,cn=accounts,$SUFFIX", cn=cosTemplates,cn=accounts,$SUFFIX
+dn: cn=cn\=inactivated\,cn\=account inactivation\,cn\=accounts\,$ESCAPED_SUFFIX,cn=cosTemplates,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: cosTemplate
@@ -203,7 +203,7 @@ changetype: add
 objectclass: top
 objectclass: groupofnames
-dn: cn="cn=activated,cn=account inactivation,cn=accounts,$SUFFIX", cn=cosTemplates,cn=accounts,$SUFFIX
+dn: cn=cn\=activated\,cn\=account inactivation\,cn\=accounts\,$ESCAPED_SUFFIX,cn=cosTemplates,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
 objectClass: cosTemplate
diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index f3338ecf9..bf8abcf82 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -76,6 +76,7 @@ def make_cos_entry(group, cospriority=None):
 cos_dn = DN of the new CoS entry
 cos_entry = entry representing this new object
 """
+ ldap = api.Backend.ldap2
 groupdn = find_group_dn(group)
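Review bot: The new `dn:` lines escape the nested DN by hand (`\=`, `\,`) while only the suffix part comes from `$ESCAPED_SUFFIX`, and nothing in the template says why the RDN value is itself a DN, which is what makes the mix of `$ESCAPED_SUFFIX` inside the value and `$SUFFIX` outside it correct; the same applies to the `cn=activated` entry in the next hunk. A comment above each entry would stop a later edit from "simplifying" one of the two back to `$SUFFIX`, e.g. `# The RDN value of a CoS template is the DN it applies to; its ',' and '=' must be backslash-escaped (RFC 4514), so the suffix inside the value uses $ESCAPED_SUFFIX and the parent uses $SUFFIX.` The hand-escaped literal must match what `escape_dn_chars` produces for the same value; from what is visible here it does, but that is an inference.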
@@ -83,7 +84,9 @@ def make_cos_entry(group, cospriority=None):
 if cospriority:
 cos_entry['cospriority'] = cospriority
 cos_entry['objectclass'] = ['top', 'costemplate', 'extensibleobject', 'krbcontainer']
- cos_dn = 'cn=\"%s\", cn=cosTemplates, cn=accounts, %s' % (groupdn, api.env.basedn)
+ cos_dn = ldap.make_dn_from_attr(
+ 'cn', groupdn, 'cn=cosTemplates,%s' % api.env.container_accounts
+ )
 return (cos_dn, cos_entry)
@@ -146,7 +149,7 @@ def unique_priority(ldap, priority):
 try:
 (entries, truncated) = ldap.find_entries(
- attr_filter, attrs, 'cn=cosTemplates,%s' % (api.env.container_accounts), scope=ldap.SCOPE_ONELEVEL
+ attr_filter, attrs, 'cn=cosTemplates,%s' % api.env.container_accounts, scope=ldap.SCOPE_ONELEVEL
 )
 return False
 except errors.NotFound:
@@ -248,8 +251,8 @@ class pwpolicy_add(crud.Create):
 # Link the two entries together
 cos_entry['krbpwdpolicyreference'] = policy_dn
- ldap.add_entry(policy_dn, policy_entry, normalize=False)
- ldap.add_entry(cos_dn, cos_entry, normalize=False)
+ ldap.add_entry(policy_dn, policy_entry)
+ ldap.add_entry(cos_dn, cos_entry)
 # The policy is what is interesting, return that
 (dn, entry_attrs) = ldap.get_entry(policy_dn, policy_entry.keys())
@@ -308,9 +311,11 @@ class pwpolicy_mod(crud.Update):
 if not unique_priority(ldap, options['cospriority']):
 raise errors.ValidationError(name='priority', error=_('Priority must be a unique value.'))
 groupdn = find_group_dn(group_cn)
- cos_dn = 'cn="%s", cn=cosTemplates, cn=accounts, %s' % (groupdn, api.env.basedn)
- self.log.debug('%s' % cos_dn)
- ldap.update_entry(cos_dn, dict(cospriority = options['cospriority']), normalize=False)
+ cos_dn = ldap.make_dn_from_attr(
+ 'cn', groupdn,
+ 'cn=cosTemplates,%s' % self.api.env.container_accounts
+ )
+ ldap.update_entry(cos_dn, dict(cospriority = options['cospriority']))
 cospriority = options['cospriority']
 del options['cospriority']
 entry_attrs = self.args_options_2_entry(*args, **options)
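Review bot: The new `cos_dn` construction in make_cos_entry is the point where the whole fix rests, and it is undocumented: the group DN is embedded as an RDN value, so the result is only well-formed if `make_dn_from_attr` backslash-escapes the `,` and `=` inside `groupdn` (its implementation is not in this patch, so that is an assumption worth stating). A comment above the call would make the invariant visible to the next maintainer, e.g. `# groupdn becomes the RDN value of the CoS template entry; make_dn_from_attr must escape its ',' and '=' (RFC 4514) so it cannot be parsed as extra RDN components.` make_cos_entry starts outside this hunk and its `ldap` local is assigned in the previous hunk.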
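Review bot: Dropping `normalize=False` from both `add_entry` calls in pwpolicy_add sends the escaped CoS DN through the backend's default normalization, and the same happens for `update_entry` in pwpolicy_mod, `delete_entry` in pwpolicy_del and `get_entry` in pwpolicy_show and pwpolicy_find. The old code opted out of normalization presumably because the quoted form would not survive it; whether the default path preserves the `\,` and `\=` escapes, and the exact bytes the entry was created with, cannot be seen in this patch. A test that adds a policy for a group whose cn contains `,` or `=` and then reads it back through pwpolicy_show and removes it through pwpolicy_del would pin the round trip. The bodies of pwpolicy_add.execute and the other methods extend outside their hunks.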
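Review bot: The four-line `cos_dn = ldap.make_dn_from_attr('cn', groupdn, 'cn=cosTemplates,%s' % self.api.env.container_accounts)` block added here in pwpolicy_mod is repeated verbatim in pwpolicy_del, pwpolicy_show and pwpolicy_find, and make_cos_entry builds the same DN a fifth time with `api.env` instead of `self.api.env`. Keeping the escaping rule in one module-level helper means a future change to the CoS container or to the escaping cannot be applied to four of the five sites and missed at the fifth. The helper below uses the module's existing `api`, as make_cos_entry already does; each call site then becomes `cos_dn = make_cos_dn(ldap, groupdn)` (`group_dn` in pwpolicy_del).
```python
def make_cos_dn(ldap, groupdn):
    """Return the DN of the CoS template entry that belongs to groupdn.

    groupdn is used as the RDN value, so make_dn_from_attr must escape it.
    """
    return ldap.make_dn_from_attr(
        'cn', groupdn, 'cn=cosTemplates,%s' % api.env.container_accounts
    )

# … unchanged: pwpolicy_mod.execute up to the priority check …
        cos_dn = make_cos_dn(ldap, groupdn)
        ldap.update_entry(cos_dn, dict(cospriority = options['cospriority']))
```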
@@ -358,12 +363,14 @@ class pwpolicy_del(crud.Delete):
 # Ok, perhaps the group was deleted, try to make the group DN
 rdn = ldap.make_rdn_from_attr('cn', group_cn)
 group_dn = ldap.make_dn_from_rdn(rdn, api.env.container_group)
- cos_dn = 'cn=\"%s\", cn=cosTemplates, cn=accounts, %s' % (group_dn, api.env.basedn)
+ cos_dn = ldap.make_dn_from_attr(
+ 'cn', group_dn,
+ 'cn=cosTemplates,%s' % self.api.env.container_accounts
+ )
 policy_entry = self.args_options_2_entry(*args, **options)
 (policy_dn, policy_entry) = make_policy_entry(group_cn, policy_entry)
-
- ldap.delete_entry(policy_dn, normalize=False)
- ldap.delete_entry(cos_dn, normalize=False)
+ ldap.delete_entry(policy_dn)
+ ldap.delete_entry(cos_dn)
 return dict(
 result=True,
 value=group_cn,
@@ -424,8 +431,11 @@ class pwpolicy_show(Method):
 if 'group' in options:
 groupdn = find_group_dn(options['group'])
- cos_dn = 'cn="%s", cn=cosTemplates, cn=accounts, %s' % (groupdn, api.env.basedn)
- (dn, cos_attrs) = ldap.get_entry(cos_dn, normalize=False)
+ cos_dn = ldap.make_dn_from_attr(
+ 'cn', groupdn,
+ 'cn=cosTemplates,%s' % self.api.env.container_accounts
+ )
+ (dn, cos_attrs) = ldap.get_entry(cos_dn)
 entry_attrs['cospriority'] = cos_attrs['cospriority']
 else:
 entry_attrs['cn'] = _global
@@ -462,8 +472,11 @@ class pwpolicy_find(Method):
 _convert_time_for_output(e[1])
 e[1]['dn'] = e[0]
 groupdn = find_group_dn(e[1]['cn'][0])
- cos_dn = 'cn="%s", cn=cosTemplates, cn=accounts, %s' % (groupdn, api.env.basedn)
- (dn, cos_attrs) = ldap.get_entry(cos_dn, normalize=False)
+ cos_dn = ldap.make_dn_from_attr(
+ 'cn', groupdn,
+ 'cn=cosTemplates,%s' % self.api.env.container_accounts
+ )
+ (dn, cos_attrs) = ldap.get_entry(cos_dn)
 e[1]['cospriority'] = cos_attrs['cospriority']
 entries = tuple(e for (dn, e) in entries)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index f535b7ba8..61887dde8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -34,6 +34,7 @@ import service
 import installutils
 import certs
 import ldap
+from ldap.dn import escape_dn_chars
 from ipaserver import ipaldap
 from ipaserver.install import ldapupdate
 from ipaserver.install import httpinstance
@@ -209,7 +210,9 @@ class DsInstance(service.Service):
 REALM=self.realm_name, USER=self.ds_user,
 SERVER_ROOT=server_root, DOMAIN=self.domain,
 TIME=int(time.time()), UIDSTART=self.uidstart,
- GIDSTART=self.gidstart, HOST=self.host_name)
+ GIDSTART=self.gidstart, HOST=self.host_name,
+ ESCAPED_SUFFIX= escape_dn_chars(self.suffix.lower()),
+ )
 def __create_ds_user(self):
 user_exists = True
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index c03459187..dff94783c 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -31,6 +31,7 @@ from ipapython import entity, ipautil
 from ipalib import util, uuid
 from ipalib import errors
 import ldap
+from ldap.dn import escape_dn_chars
 import logging
 import krbV
 import platform
@@ -76,6 +77,8 @@ class LDAPUpdate:
 self.sub_dict["DOMAIN"] = domain
 if not self.sub_dict.get("SUFFIX"):
 self.sub_dict["SUFFIX"] = suffix
+ if not self.sub_dict.get("ESCAPED_SUFFIX"):
+ self.sub_dict["ESCAPED_SUFFIX"] = escape_dn_chars(suffix)
 if not self.sub_dict.get("LIBARCH"):
 self.sub_dict["LIBARCH"] = libarch
 if not self.sub_dict.get("TIME"):
-- cgit
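Review bot: `ESCAPED_SUFFIX` is derived from `self.suffix.lower()` in DsInstance but from the un-lowered `suffix` in LDAPUpdate (the last hunk of ldapupdate.py), so the two template paths can substitute nested DNs that differ in case for the same suffix. Matching on `cn` values is normally case-insensitive, so this is probably harmless, but the two sites should derive the value the same way; whichever form `SUFFIX` itself takes here is outside the hunk and should be the one escaped. The stray space in `ESCAPED_SUFFIX= escape_dn_chars(...)` is a style nit: `ESCAPED_SUFFIX=escape_dn_chars(self.suffix.lower()),`. The enclosing `dict(...)` call starts before the hunk.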
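Review bot: The new `ESCAPED_SUFFIX` default in LDAPUpdate is computed from the `suffix` parameter even when a caller-supplied `sub_dict["SUFFIX"]` has just won the `if not self.sub_dict.get("SUFFIX")` check two lines above, so the escaped and unescaped values can describe different suffixes in the same substitution run. Escaping the value that actually ends up in the dictionary keeps them in step: `self.sub_dict["ESCAPED_SUFFIX"] = escape_dn_chars(self.sub_dict["SUFFIX"])`. The method this belongs to starts and continues outside the hunk, so I cannot see whether `suffix` is ever deliberately different from `sub_dict["SUFFIX"]`.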